Bug 109105 - security.mac.bsdextended.firstmatch_enabled is not enabled
Summary: security.mac.bsdextended.firstmatch_enabled is not enabled
Status: Open
Alias: None
Product: Documentation
Classification: Unclassified
Component: Manual Pages
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2007-02-12 20:00 UTC by Dr. Markus Waldeck
Modified: 2019-12-16 21:27 UTC
Description Dr. Markus Waldeck 2007-02-12 20:00:11 UTC
CUSTOM kernel:
options MAC
kldload mac_bsdextended.ko

% sysctl security.mac.bsdextended.firstmatch_enabled
security.mac.bsdextended.firstmatch_enabled: 0

man mac_bsdextended
security.mac.bsdextended.firstmatch_enabled
        Toggle between the old all rules match functionality and the new
        first rule matches functionality.  This is enabled by default.

The value 0 means disabled not enabled!

How-To-Repeat: % sysctl security.mac.bsdextended.firstmatch_enabled

% man mac_bsdextended
Comment 1 Remko Lodder freebsd_committer 2007-02-12 21:03:01 UTC
Dr. Markus Waldeck wrote:
> 
>> Description:
> CUSTOM kernel:
> options MAC
> kldload mac_bsdextended.ko
> 
> % sysctl security.mac.bsdextended.firstmatch_enabled
> security.mac.bsdextended.firstmatch_enabled: 0
> 
> man mac_bsdextended
> security.mac.bsdextended.firstmatch_enabled
>         Toggle between the old all rules match functionality and the new
>         first rule matches functionality.  This is enabled by default.
> 
> The value 0 means disabled not enabled!
>> How-To-Repeat:
> % sysctl security.mac.bsdextended.firstmatch_enabled
> 
> % man mac_bsdextended
> 

Hello (again),

When are you going to read my emails about asking
you over and over again, to give these things a bit
of discussion before you are submitting PR's? A
little discussion with the developers of the MAC
framework could give the proper idea about what is
going on. Perhaps the documentation is OK and the
code is wrong, or the other way around.

You might think that I am a bit grumpy, and yes I am.

The PR tickets are not for support questions (which
this initially is) but for confirmed problems which
should be resolved. We cannot resolve this prior to
having some investigation going on.

So AGAIN: Please ask / discuss these things on the various
mailing lists before submitting a ticket to make things more
concrete; this will help FreeBSD, you and others!

Thanks for your understanding and cooperation.



-- 
Kind regards,

      Remko Lodder               ** remko@elvandar.org
      FreeBSD                    ** remko@FreeBSD.org

      /* Quis custodiet ipsos custodes */
Comment 2 Remko Lodder freebsd_committer 2007-02-13 16:15:11 UTC
Responsible Changed
From-To: freebsd-doc->trhodes

Tom wanted to have a look at this (Thanks Tom)
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:06 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped
Comment 4 sigsys 2019-12-16 20:22:38 UTC
I was looking into ugidfw when I found this issue as well.

firstmatch_enabled isn't being initialized properly.


Index: sys/security/mac_bsdextended/mac_bsdextended.c
===================================================================
--- sys/security/mac_bsdextended/mac_bsdextended.c	(revision 355771)
+++ sys/security/mac_bsdextended/mac_bsdextended.c	(working copy)
@@ -108,9 +108,9 @@
  * between the new mode (first rule matches) and the old functionality (all
  * rules match).
  */
-static int ugidfw_firstmatch_enabled;
+static int ugidfw_firstmatch_enabled = 1;
 SYSCTL_INT(_security_mac_bsdextended, OID_AUTO, firstmatch_enabled,
-    CTLFLAG_RW, &ugidfw_firstmatch_enabled, 1,
+    CTLFLAG_RW, &ugidfw_firstmatch_enabled, 0,
     "Disable/enable match first rule functionality");
 
 static int
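Review bot: On the `static int ugidfw_firstmatch_enabled = 1;` line, the initializer flips the effective default of a security policy toggle: the variable was previously zero-initialized and the report above shows the sysctl reading 0, so existing rule sets have been evaluated in all-rules-match mode until now. Say so in the commit message and extend the comment above the variable to state the default, so administrators who depend on the old behavior know to set security.mac.bsdextended.firstmatch_enabled back to 0. The alternative raised in this thread, keeping 0 and correcting the man page instead, would avoid changing enforcement on deployed systems.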


At this point you've got to wonder if keeping the old behavior would be better though.
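
Added example, not part of the original report or the FreeBSD source: a simplified C model of the two evaluation modes the man page describes, showing that the same ordered rule set gives different answers depending on the toggle. The rule structure, `check_access`, `sample_read` and the sample uids are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define ANY_UID (-1)
#define M_READ  0x1
#define M_WRITE 0x2

/* Hypothetical, simplified rule: subject uid, object owner uid, allowed modes. */
struct rule { int subj_uid; int obj_uid; int allowed; };

/* Constructed sample rule set, evaluated in order. */
static const struct rule sample_rules[] = {
    { 1001,    1002, M_READ }, /* uid 1001 may read files owned by uid 1002 */
    { ANY_UID, 1002, 0      }, /* everyone else gets nothing on those files */
};
#define SAMPLE_COUNT (sizeof(sample_rules) / sizeof(sample_rules[0]))

static bool rule_applies(const struct rule *r, int subj, int obj)
{
    return (r->subj_uid == ANY_UID || r->subj_uid == subj) &&
           (r->obj_uid == ANY_UID || r->obj_uid == obj);
}

/* Returns true when the access is permitted under the chosen mode. */
static bool check_access(const struct rule *rules, size_t n, int firstmatch,
                         int subj, int obj, int mode)
{
    for (size_t i = 0; i < n; i++) {
        if (!rule_applies(&rules[i], subj, obj))
            continue;
        if ((rules[i].allowed & mode) != mode)
            return false;   /* an applicable rule denies the request */
        if (firstmatch)
            return true;    /* first applicable rule decides */
        /* all-rules-match: keep going, later rules must also permit */
    }
    return true;            /* no applicable rule denied */
}

/* uid 1001 reading a file owned by uid 1002, under either mode. */
static bool sample_read(int firstmatch)
{
    return check_access(sample_rules, SAMPLE_COUNT, firstmatch, 1001, 1002, M_READ);
}

int main(void)
{
    printf("firstmatch=1: %s\n", sample_read(1) ? "allow" : "deny");
    printf("firstmatch=0: %s\n", sample_read(0) ? "allow" : "deny");
    return 0;
}
```

A rule set written with an exception followed by a catch-all, as the first-match documentation suggests, denies the exception when the toggle is 0, and a rule set tuned under 0 can become more permissive when the default moves to 1.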